MOVEit Transfer pack enhancement #27225

Merged
merged 7 commits into from Jun 8, 2023
Expand Up @@ -32,10 +32,16 @@ Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injectio
- Sigma rules download

**Hunting:**
- Microsoft PowerShell hunting script
- Advanced SIEM hunting queries
- Cortex XDR XQL exploitation patterns hunting
- Cortex Xpanse external facing instances hunting
- Advanced SIEM exploitation patterns hunting
- Indicators hunting

The hunting queries are searching for the following activities:
- ASPX file creation by w3wp.exe
- IIS compiling binaries via the csc.exe on behalf of the MOVEit
- Detects get requests to specific exploitation related files

**Mitigations:**
- Progress official CVE-2023-34362 patch
- Progress mitigation measures
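Review bot: the third bullet under "The hunting queries are searching for the following activities" breaks the list's parallel form (`- Detects get requests to specific exploitation related files` is a verb phrase next to two noun phrases) and "get" is the HTTP method name; suggest `- GET requests to specific exploitation-related files`, and for the second bullet `- IIS compiling binaries via csc.exe on behalf of MOVEit` (drop the two stray articles).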
Expand All @@ -46,9 +52,9 @@ Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injectio

**References:**

[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)
[CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief](https://unit42.paloaltonetworks.com/threat-brief-moveit-cve-2023-34362/)

[MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)
[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)

Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve.

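Review bot: the Huntress rapid-response link is dropped from References rather than kept beside the new Unit42 threat brief, while the 1.0.1 release note in this PR only says the Unit42 brief was added; either keep both references or record the removal in the release note. Also, because this References block is plain paragraphs rather than a list, the blank line between the two links is the only thing keeping them on separate lines, so keep that spacing if more links are added.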
Expand All @@ -58,42 +64,45 @@ This playbook uses the following sub-playbooks, integrations, and scripts.

### Sub-playbooks

* Detects get requests to specific exploitation related files
* Rapid Breach Response - Set Incident Info
* Block Indicators - Generic v3
* QRadarFullSearch
* ASPX file creation by w3wp.exe
* Threat Hunting - Generic
* Rapid Breach Response - Set Incident Info
* IIS compiling binaries via the csc.exe on behalf of the MOVEit

### Integrations

This playbook does not use any integrations.

### Scripts

* HttpV2
* CreateNewIndicatorsOnly
* HttpV2
* ParseHTMLIndicators

### Commands

* xdr-xql-generic-query
* associateIndicatorsToIncident
* extractIndicators
* es-eql-search
* azure-log-analytics-execute-query
* splunk-search
* azure-log-analytics-execute-query
* expanse-get-issues
* extractIndicators
* xdr-xql-generic-query

## Playbook Inputs

---

| **Name** | **Description** | **Default Value** | **Required** |
| --- | --- | --- | --- |
| PlaybookDescription | The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook. | ### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.<br/><br/>#### Summary <br/><br/>A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.<br/><br/>To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.<br/><br/>#### Affected Products <br/><br/><br/>\| Affected Version \| Fixed Version \| Documentation \|<br/>\|-------------------------------\|---------------------------\|-------------------------------------\|<br/>\| MOVEit Transfer 2023.0.0 (15.0) \| MOVEit Transfer 2023.0.1 \| [MOVEit 2023 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2023/Upgrade/) \|<br/>\| MOVEit Transfer 2022.1.x (14.1) \| MOVEit Transfer 2022.1.5 \| [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) \|<br/>\| MOVEit Transfer 2022.0.x (14.0) \| MOVEit Transfer 2022.0.4 \| [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) \|<br/>\| MOVEit Transfer 2021.1.x (13.1) \| MOVEit Transfer 2021.1.4 \| [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) \|<br/>\| MOVEit Transfer 2021.0.x (13.0) \| MOVEit Transfer 2021.0.6 \| [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) \|<br/>\| MOVEit Transfer 2020.1.x (12.1) \| Special Patch Available \| See [KB 000234559](https://docs.ipswitch.com/MOVEit/2020/234559.htm) \|<br/>\| MOVEit Transfer 2020.0.x (12.0) or older \| MUST upgrade to a supported 
version \| See [MOVEit Transfer Upgrade and Migration Guide](https://docs.ipswitch.com/MOVEit/Transfer2021/UpgradeGuide/) \|<br/><br/><br/>**This playbook should be triggered manually or can be configured as a job.** <br/><br/>Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type.<br/><br/>**The playbook includes the following tasks:**<br/><br/>**IoCs Collection**<br/>- Blog IoCs download<br/>- Yara Rules download<br/>- Sigma rules download<br/><br/>**Hunting:**<br/>- Microsoft PowerShell hunting script<br/>- Advanced SIEM hunting queries<br/>- Indicators hunting<br/><br/>**Mitigations:**<br/>- Progress official CVE-2023-34362 patch<br/>- Progress mitigation measures<br/>- Detection Rules<br/> - Yara<br/> - Sigma<br/><br/><br/>**References:**<br/><br/>[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)<br/>[MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response](https://www.huntress.com/blog/moveit-transfer-critical-vulnerability-rapid-response)<br/><br/>Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional |
| PlaybookDescription | The playbook description to be used in the Rapid Breach Response - Set Incident Info sub-playbook. | ### CVE-2023-34362 - Critical SQL Injection vulnerability in MOVEit Transfer.<br/><br/>#### Summary <br/><br/>A critical vulnerability has been identified in MOVEit Transfer, a managed file transfer solution. The vulnerability affects versions prior to the latest release and involves improper input validation. Exploiting this vulnerability can lead to remote execution of arbitrary code, potentially resulting in unauthorized access and compromise of sensitive data.<br/><br/>To mitigate the risk associated with this vulnerability, it is crucial for users to update to the latest version of MOVEit Transfer that includes necessary security patches.<br/><br/>#### Affected Products <br/><br/><br/>\| Affected Version \| Fixed Version \| Documentation \|<br/>\|-------------------------------\|---------------------------\|-------------------------------------\|<br/>\| MOVEit Transfer 2023.0.0 (15.0) \| MOVEit Transfer 2023.0.1 \| [MOVEit 2023 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2023/Upgrade/) \|<br/>\| MOVEit Transfer 2022.1.x (14.1) \| MOVEit Transfer 2022.1.5 \| [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) \|<br/>\| MOVEit Transfer 2022.0.x (14.0) \| MOVEit Transfer 2022.0.4 \| [MOVEit 2022 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2022/Upgrade/) \|<br/>\| MOVEit Transfer 2021.1.x (13.1) \| MOVEit Transfer 2021.1.4 \| [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) \|<br/>\| MOVEit Transfer 2021.0.x (13.0) \| MOVEit Transfer 2021.0.6 \| [MOVEit 2021 Upgrade Documentation](https://docs.ipswitch.com/MOVEit/2021/Upgrade/) \|<br/>\| MOVEit Transfer 2020.1.x (12.1) \| Special Patch Available \| See [KB 000234559](https://docs.ipswitch.com/MOVEit/2020/234559.htm) \|<br/>\| MOVEit Transfer 2020.0.x (12.0) or older \| MUST upgrade to a supported 
version \| See [MOVEit Transfer Upgrade and Migration Guide](https://docs.ipswitch.com/MOVEit/Transfer2021/UpgradeGuide/) \|<br/><br/><br/>**This playbook should be triggered manually or can be configured as a job.** <br/><br/>Please create a new incident and choose the CVE-2023-34362 - MOVEit SQL Injection playbook and Rapid Breach Response incident type.<br/><br/>**The playbook includes the following tasks:**<br/><br/>**IoCs Collection**<br/>- Blog IoCs download<br/>- Yara Rules download<br/>- Sigma rules download<br/><br/>**Hunting:**<br/>- Cortex XDR XQL exploitation patterns hunting<br/>- Cortex Xpanse external facing instances hunting<br/>- Advanced SIEM exploitation patterns hunting<br/>- Indicators hunting<br/><br/>The hunting queries are searching for the following activities:<br/> - ASPX file creation by w3wp.exe<br/> - IIS compiling binaries via the csc.exe on behalf of the MOVEit<br/> - Detects get requests to specific exploitation related files<br/><br/>**Mitigations:**<br/>- Progress official CVE-2023-34362 patch<br/>- Progress mitigation measures<br/>- Detection Rules<br/> - Yara<br/> - Sigma<br/><br/><br/>**References:**<br/><br/>[CVE-2023-34362: MOVEit Transfer SQL Injection Vulnerability Threat Brief](https://unit42.paloaltonetworks.com/threat-brief-moveit-cve-2023-34362/)<br/><br/>[MOVEit Transfer Critical Vulnerability (May 2023)](https://community.progress.com/s/article/MOVEit-Transfer-Critical-Vulnerability-31May2023)<br/><br/>Note: This is a beta playbook, which lets you implement and test pre-release software. Since the playbook is beta, it might contain bugs. Updates to the pack during the beta phase might include non-backward compatible features. We appreciate your feedback on the quality and usability of the pack to help us identify issues, fix them, and continually improve. | Optional |
| autoBlockIndicators | Wether to block the indicators automatically. | False | Optional |
| QRadarTimeRange | The time range for the QRadar queries. | Last 10 Days | Optional |
| SplunkEarliestTime | The time range for the Splunk queries. | -10d@d | Optional |
| ElasticEarliestTime | The time range for the Elastic queries. | now-7d/d | Optional |
| LogAnalyticsTimespan | The time range for the Azure Log Analytics queries. | 10d | Optional |
| XQLTimeRange | The time range for the XQL queries. | 2 hours ago | Optional |
| ElasticIndex | The elastic index to search in. | | Optional |

## Playbook Outputs
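Review bot: the Integrations section still says "This playbook does not use any integrations" while the Commands section lists `splunk-search`, `es-eql-search`, `azure-log-analytics-execute-query`, `expanse-get-issues` and `xdr-xql-generic-query`, all of which need a configured integration instance; state which brands the hunting tasks expect, or that each command runs on whichever enabled instance is present, so readers do not skip configuring them. While touching the inputs table, the unchanged `autoBlockIndicators` row reads "Wether" (should be "Whether"), and the new PlaybookDescription default still indents the three hunting sub-bullets with a leading space (`<br/> - ASPX file creation by w3wp.exe`), unlike the README version of the same list; align the two.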
10 changes: 8 additions & 2 deletions Packs/CVE_2023_34362_-_MOVEit_SQLI/README.md
Expand Up @@ -16,10 +16,16 @@ To mitigate the risk associated with this vulnerability, it is crucial for users
- Sigma rules download

**Hunting:**
- Microsoft PowerShell hunting script
- Advanced SIEM hunting queries
- Cortex XDR XQL exploitation patterns hunting
- Cortex Xpanse external facing instances hunting
- Advanced SIEM exploitation patterns hunting
- Indicators hunting

The hunting queries are searching for the following activities:
- ASPX file creation by w3wp.exe
- IIS compiling binaries via the csc.exe on behalf of the MOVEit
- Detects get requests to specific exploitation related files

**Mitigations:**
- Progress official CVE-2023-34362 patch
- Progress mitigation measures
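Review bot: these are the same three hunting bullets as the playbook README and the PlaybookDescription default in the playbook YAML, so keep them word-for-word identical in all three places and apply the same wording fixes here: `- GET requests to specific exploitation-related files` (HTTP method, noun phrase like the other bullets) and `- IIS compiling binaries via csc.exe on behalf of MOVEit`.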
8 changes: 8 additions & 0 deletions Packs/CVE_2023_34362_-_MOVEit_SQLI/ReleaseNotes/1_0_1.md
@@ -0,0 +1,8 @@

#### Playbooks

##### CVE-2023-34362 - MOVEit Transfer SQL Injection

- Added the Unit42 threat brief
- Added the Cortex Xpanse coverage
- Fixes the playbook description
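Review bot: the new release note starts with an empty line before `#### Playbooks`, and the bullets mix tenses (`Added`, `Added`, `Fixes`); use `- Fixed the playbook description`. The note also does not mention that the "Microsoft PowerShell hunting script" and "Advanced SIEM hunting queries" bullets were replaced by the Cortex XDR XQL, Cortex Xpanse and SIEM exploitation-pattern hunting bullets, or that the Huntress reference was removed; listing those lets pack users see what changed in the hunting coverage, not just what was added.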
2 changes: 1 addition & 1 deletion Packs/CVE_2023_34362_-_MOVEit_SQLI/pack_metadata.json
Expand Up @@ -2,7 +2,7 @@
"name": "CVE-2023-34362 - MOVEit Transfer SQL Injection",
"description": "This pack handles MOVEit Transfer SQL Injection CVE-2023-34362 vulnerability",
"support": "xsoar",
"currentVersion": "1.0.0",
"currentVersion": "1.0.1",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
@@ -0,0 +1,4 @@
##### CVE-2023-34362 - MOVEit Transfer SQL Injection
- New pack which handles CVE-2023-34362 - MOVEit Transfer SQL Injection investigation and response.
This pack can be installed by checking the box when updating the Rapid Breach Response pack (optional dependency) or by installing it directly via
our Marketplace.
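Review bot: the second and third lines (`This pack can be installed by checking the box ... via` / `our Marketplace.`) are not indented under the bullet, so Markdown renders them as a separate paragraph after the list rather than as part of the release-note item; either indent them to continue the bullet or fold the sentence into the bullet line.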
Expand Up @@ -2,7 +2,7 @@
"name": "Rapid Breach Response",
"description": "This content Pack helps you collect, investigate, and remediate incidents related to major breaches.",
"support": "xsoar",
"currentVersion": "1.6.30",
"currentVersion": "1.6.31",
"author": "Cortex XSOAR",
"url": "https://www.paloaltonetworks.com/cortex",
"email": "",
Expand Down Expand Up @@ -94,6 +94,10 @@
"mandatory": false,
"display_name": "3CXDesktopApp Supply Chain Attack"
},
"CVE_2023_34362_-_MOVEit_SQLI": {
"mandatory": false,
"display_name": "CVE-2023-34362 - MOVEit Transfer SQL Injection"
},
"ServiceNow": {
"mandatory": false,
"display_name": "ServiceNow"